
New user question


kanes


Hi, all

I just purchased the Pro version and installed it last night. Turned protection on and ran a quick scan. Scan came up clean:

Malwarebytes Anti-Malware (PRO) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.09.13.10

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

ewk :: STEVE-97E23CD04 [limited]

Protection: Disabled

9/13/2012 8:24:21 PM

mbam-log-2012-09-13 (20-24-21).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 148431

Time elapsed: 4 minute(s), 31 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

So, I go to bed, and this morning find the following protection logs:

2012/09/13 20:38:50 -0700 STEVE-97E23CD04 steve MESSAGE Starting protection

2012/09/13 20:38:50 -0700 STEVE-97E23CD04 steve MESSAGE Protection started successfully

2012/09/13 20:38:50 -0700 STEVE-97E23CD04 steve MESSAGE Starting IP protection

2012/09/13 20:38:52 -0700 STEVE-97E23CD04 steve MESSAGE IP Protection started successfully

2012/09/13 20:38:56 -0700 STEVE-97E23CD04 steve MESSAGE Executing scheduled update: Daily

2012/09/13 20:40:18 -0700 STEVE-97E23CD04 steve MESSAGE Starting database refresh

2012/09/13 20:40:18 -0700 STEVE-97E23CD04 steve MESSAGE Stopping IP protection

2012/09/13 20:40:18 -0700 STEVE-97E23CD04 steve MESSAGE IP Protection stopped successfully

2012/09/13 20:40:18 -0700 STEVE-97E23CD04 steve MESSAGE Scheduled update executed successfully: database updated from version v2012.09.07.13 to version v2012.09.13.10

2012/09/13 20:40:23 -0700 STEVE-97E23CD04 steve MESSAGE Database refreshed successfully

2012/09/13 20:40:23 -0700 STEVE-97E23CD04 steve MESSAGE Starting IP protection

2012/09/13 20:40:25 -0700 STEVE-97E23CD04 steve MESSAGE IP Protection started successfully

2012/09/13 20:40:28 -0700 STEVE-97E23CD04 steve MESSAGE Starting database refresh

2012/09/13 20:40:28 -0700 STEVE-97E23CD04 steve MESSAGE Stopping IP protection

2012/09/13 20:40:28 -0700 STEVE-97E23CD04 steve MESSAGE IP Protection stopped successfully

2012/09/13 20:40:35 -0700 STEVE-97E23CD04 steve MESSAGE Database refreshed successfully

2012/09/13 20:40:35 -0700 STEVE-97E23CD04 steve MESSAGE Starting IP protection

2012/09/13 20:40:38 -0700 STEVE-97E23CD04 steve MESSAGE IP Protection started successfully

2012/09/13 21:43:08 -0700 STEVE-97E23CD04 ewk IP-BLOCK 199.21.148.108 (Type: outgoing)

2012/09/13 21:43:11 -0700 STEVE-97E23CD04 ewk IP-BLOCK 199.21.148.108 (Type: outgoing)

2012/09/13 21:43:17 -0700 STEVE-97E23CD04 ewk IP-BLOCK 199.21.148.108 (Type: outgoing)

2012/09/13 21:54:28 -0700 STEVE-97E23CD04 ewk IP-BLOCK 222.76.17.33 (Type: outgoing)

2012/09/13 23:09:53 -0700 STEVE-97E23CD04 ewk IP-BLOCK 85.31.101.229 (Type: outgoing)

2012/09/13 23:10:05 -0700 STEVE-97E23CD04 ewk IP-BLOCK 212.117.180.144 (Type: outgoing)

2012/09/13 23:19:04 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/13 23:19:07 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/13 23:19:13 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/13 23:19:25 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/13 23:19:28 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/13 23:19:35 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/13 23:20:55 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/13 23:20:58 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/13 23:21:04 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/13 23:21:16 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/13 23:21:19 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/13 23:21:25 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/13 23:38:35 -0700 STEVE-97E23CD04 ewk IP-BLOCK 83.128.59.159 (Type: outgoing)

2012/09/13 23:53:19 -0700 STEVE-97E23CD04 ewk IP-BLOCK 79.135.141.150 (Type: outgoing)

and

2012/09/14 00:08:03 -0700 STEVE-97E23CD04 ewk IP-BLOCK 58.241.191.211 (Type: outgoing)

2012/09/14 00:37:11 -0700 STEVE-97E23CD04 ewk IP-BLOCK 79.135.135.66 (Type: outgoing)

2012/09/14 01:37:55 -0700 STEVE-97E23CD04 ewk IP-BLOCK 204.124.182.102 (Type: outgoing)

2012/09/14 01:38:06 -0700 STEVE-97E23CD04 ewk IP-BLOCK 58.241.191.52 (Type: outgoing)

2012/09/14 01:54:45 -0700 STEVE-97E23CD04 ewk IP-BLOCK 222.76.83.203 (Type: outgoing)

2012/09/14 01:54:48 -0700 STEVE-97E23CD04 ewk IP-BLOCK 222.76.85.246 (Type: outgoing)

2012/09/14 01:54:49 -0700 STEVE-97E23CD04 ewk IP-BLOCK 222.76.83.1 (Type: outgoing)

2012/09/14 02:02:29 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/14 02:02:32 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/14 02:02:38 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/14 02:02:50 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:04:20 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:04:23 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:04:29 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:04:41 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/14 02:04:44 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/14 02:04:50 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/14 02:10:10 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/14 02:10:13 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/14 02:10:19 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/14 02:11:43 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/14 02:11:46 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/14 02:11:52 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/14 02:12:04 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:12:07 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:12:13 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:12:25 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/14 02:16:00 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/14 02:16:03 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/14 02:16:09 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/14 02:16:21 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:16:24 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:17:30 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:17:33 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:17:39 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:17:51 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/14 02:17:54 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/14 02:18:00 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/14 02:19:28 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/14 02:19:31 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/14 02:19:37 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/14 02:23:53 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/14 02:23:55 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/14 02:23:58 -0700 STEVE-97E23CD04 ewk IP-BLOCK 222.69.212.194 (Type: outgoing)

2012/09/14 02:24:01 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/14 02:25:01 -0700 STEVE-97E23CD04 ewk IP-BLOCK 212.113.35.100 (Type: outgoing)

2012/09/14 02:25:30 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/14 02:25:33 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/14 02:25:39 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/14 02:25:51 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:25:54 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:26:00 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:26:56 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:26:59 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:27:06 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:27:18 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/14 02:27:21 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/14 02:27:27 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/14 02:28:51 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.3 (Type: outgoing)

2012/09/14 02:28:54 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.3 (Type: outgoing)

2012/09/14 02:29:00 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.3 (Type: outgoing)

2012/09/14 02:31:13 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/14 02:31:16 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/14 02:31:22 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/14 02:31:34 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:31:37 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:33:08 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:33:11 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:33:17 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/14 02:33:29 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/14 02:33:33 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/14 02:33:39 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/14 02:34:53 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/14 02:34:56 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/14 02:35:02 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/14 02:37:51 -0700 STEVE-97E23CD04 ewk IP-BLOCK 222.76.17.33 (Type: outgoing)

2012/09/14 02:52:28 -0700 STEVE-97E23CD04 ewk IP-BLOCK 87.248.188.235 (Type: outgoing)

2012/09/14 02:52:34 -0700 STEVE-97E23CD04 ewk IP-BLOCK 89.28.85.53 (Type: outgoing)

2012/09/14 03:09:03 -0700 STEVE-97E23CD04 ewk IP-BLOCK 93.190.109.157 (Type: outgoing)

2012/09/14 03:37:40 -0700 STEVE-97E23CD04 ewk IP-BLOCK 121.125.41.91 (Type: outgoing)

2012/09/14 04:06:51 -0700 STEVE-97E23CD04 ewk IP-BLOCK 222.186.73.209 (Type: outgoing)

2012/09/14 04:23:01 -0700 STEVE-97E23CD04 ewk IP-BLOCK 222.64.99.247 (Type: outgoing)

2012/09/14 04:23:51 -0700 STEVE-97E23CD04 ewk IP-BLOCK 79.135.153.79 (Type: outgoing)

2012/09/14 05:10:38 -0700 STEVE-97E23CD04 ewk IP-BLOCK 95.79.91.16 (Type: outgoing)

2012/09/14 05:19:54 -0700 STEVE-97E23CD04 ewk IP-BLOCK 199.21.148.98 (Type: outgoing)

2012/09/14 05:19:57 -0700 STEVE-97E23CD04 ewk IP-BLOCK 199.21.148.98 (Type: outgoing)

2012/09/14 05:20:03 -0700 STEVE-97E23CD04 ewk IP-BLOCK 199.21.148.98 (Type: outgoing)

2012/09/14 05:20:15 -0700 STEVE-97E23CD04 ewk IP-BLOCK 199.21.148.88 (Type: outgoing)

2012/09/14 05:20:18 -0700 STEVE-97E23CD04 ewk IP-BLOCK 199.21.148.88 (Type: outgoing)

2012/09/14 05:20:24 -0700 STEVE-97E23CD04 ewk IP-BLOCK 199.21.148.88 (Type: outgoing)

2012/09/14 05:25:35 -0700 STEVE-97E23CD04 ewk IP-BLOCK 59.34.186.237 (Type: outgoing)

2012/09/14 05:25:40 -0700 STEVE-97E23CD04 ewk IP-BLOCK 46.249.59.245 (Type: outgoing)

2012/09/14 05:40:13 -0700 STEVE-97E23CD04 ewk IP-BLOCK 117.205.48.159 (Type: outgoing)

2012/09/14 06:54:38 -0700 STEVE-97E23CD04 ewk IP-BLOCK 77.74.36.91 (Type: outgoing)

My question - is this normal? Do I in fact have a virus?

Please advise.

Thanks!

:o


  • Staff

Hi and welcome to Malwarebytes.

Let's see if you're infected or not. The outgoing connection means that something is connecting to the outside (since you're on XP, we can't tell what for certain, yet). It may be malware or it may be another program. Let's investigate. :)

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.


Hi!

Thanks for the quick response. The MBAM .txt is below. DDS will not complete on my system. The system locks up and I have to power down (Ctrl-Alt-Del doesn't work).

Malwarebytes Anti-Malware (PRO) 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.14.07

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

steve :: STEVE-97E23CD04 [administrator]

Protection: Enabled

9/14/2012 8:12:24 PM

mbam-log-2012-09-14 (20-12-24).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 227759

Time elapsed: 5 minute(s), 58 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Hi, all

Here's an update - we found another virus - see the following protection log:

2012/09/18 00:15:37 -0700 STEVE-97E23CD04 ewk IP-BLOCK 58.241.185.18 (Type: outgoing)

2012/09/18 00:30:07 -0700 STEVE-97E23CD04 ewk IP-BLOCK 195.161.7.61 (Type: outgoing)

2012/09/18 00:30:09 -0700 STEVE-97E23CD04 ewk IP-BLOCK 77.78.218.109 (Type: outgoing)

2012/09/18 00:39:39 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.3 (Type: outgoing)

2012/09/18 00:39:42 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.3 (Type: outgoing)

2012/09/18 00:39:48 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.3 (Type: outgoing)

2012/09/18 01:13:24 -0700 STEVE-97E23CD04 ewk IP-BLOCK 212.117.178.201 (Type: outgoing)

2012/09/18 01:27:47 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.3 (Type: outgoing)

2012/09/18 01:27:51 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.3 (Type: outgoing)

2012/09/18 01:27:57 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.3 (Type: outgoing)

2012/09/18 03:15:12 -0700 STEVE-97E23CD04 ewk IP-BLOCK 222.76.17.33 (Type: outgoing)

2012/09/18 03:28:10 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 03:28:12 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 03:28:19 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 03:28:30 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 03:28:34 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 03:28:40 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 03:28:52 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 03:28:55 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 03:29:01 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 03:29:13 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 03:29:16 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 03:29:21 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 03:29:41 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 03:29:44 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 03:29:50 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 03:29:58 -0700 STEVE-97E23CD04 ewk IP-BLOCK 188.130.177.8 (Type: outgoing)

2012/09/18 03:30:02 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 03:30:05 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 03:30:11 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 03:30:23 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 03:30:26 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 03:30:32 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 03:30:44 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 03:30:47 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 03:30:53 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 03:43:38 -0700 STEVE-97E23CD04 ewk IP-BLOCK 81.163.138.163 (Type: outgoing)

2012/09/18 03:43:57 -0700 STEVE-97E23CD04 ewk IP-BLOCK 188.130.177.8 (Type: outgoing)

2012/09/18 03:43:58 -0700 STEVE-97E23CD04 ewk IP-BLOCK 222.64.217.222 (Type: outgoing)

2012/09/18 04:41:46 -0700 STEVE-97E23CD04 ewk IP-BLOCK 188.130.177.8 (Type: outgoing)

2012/09/18 04:56:33 -0700 STEVE-97E23CD04 ewk IP-BLOCK 222.76.17.33 (Type: outgoing)

2012/09/18 05:12:43 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.3 (Type: outgoing)

2012/09/18 05:12:46 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.3 (Type: outgoing)

2012/09/18 05:12:52 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.3 (Type: outgoing)

2012/09/18 05:38:51 -0700 STEVE-97E23CD04 ewk IP-BLOCK 83.128.59.159 (Type: outgoing)

2012/09/18 05:56:38 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/18 05:56:41 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/18 05:56:47 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/18 05:56:59 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/18 05:57:02 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/18 05:57:08 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/18 05:57:22 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/18 06:09:56 -0700 STEVE-97E23CD04 ewk IP-BLOCK 89.28.70.2 (Type: outgoing)

2012/09/18 06:24:33 -0700 STEVE-97E23CD04 ewk IP-BLOCK 219.153.145.47 (Type: outgoing)

2012/09/18 06:38:39 -0700 STEVE-97E23CD04 ewk IP-BLOCK 58.240.228.96 (Type: outgoing)

2012/09/18 07:56:02 -0700 STEVE-97E23CD04 ewk IP-BLOCK 58.240.143.220 (Type: outgoing)

2012/09/18 08:20:35 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.3 (Type: outgoing)

2012/09/18 08:20:38 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.3 (Type: outgoing)

2012/09/18 08:20:44 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.3 (Type: outgoing)

2012/09/18 08:40:20 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/18 08:40:23 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/18 08:40:29 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.123 (Type: outgoing)

2012/09/18 08:42:14 -0700 STEVE-97E23CD04 ewk IP-BLOCK 89.28.86.88 (Type: outgoing)

2012/09/18 08:43:08 -0700 STEVE-97E23CD04 ewk IP-BLOCK 91.212.124.9 (Type: outgoing)

2012/09/18 09:30:03 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/18 09:30:06 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/18 09:30:12 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.124 (Type: outgoing)

2012/09/18 09:30:24 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/18 09:30:27 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/18 09:30:33 -0700 STEVE-97E23CD04 ewk IP-BLOCK 206.161.121.126 (Type: outgoing)

2012/09/18 09:31:48 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 09:31:51 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 09:31:57 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 09:32:09 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 09:32:12 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 09:32:18 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 09:32:30 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 09:32:33 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 09:32:39 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 09:32:51 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 09:32:54 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 09:33:00 -0700 STEVE-97E23CD04 ewk IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 09:33:19 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 09:33:22 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 09:33:28 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 09:33:40 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 09:33:43 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 09:33:49 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 09:34:01 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 09:34:04 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 09:34:10 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 09:34:22 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 09:34:25 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 09:34:31 -0700 STEVE-97E23CD04 ewk IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 11:22:57 -0700 STEVE-97E23CD04 ewk IP-BLOCK 222.76.17.33 (Type: outgoing)

2012/09/18 12:06:52 -0700 STEVE-97E23CD04 ewk IP-BLOCK 89.28.51.97 (Type: outgoing)

2012/09/18 12:36:37 -0700 STEVE-97E23CD04 ewk IP-BLOCK 89.28.109.13 (Type: outgoing)

2012/09/18 12:37:36 -0700 STEVE-97E23CD04 ewk IP-BLOCK 91.188.38.219 (Type: outgoing)

2012/09/18 12:50:11 -0700 STEVE-97E23CD04 ewk IP-BLOCK 89.28.121.60 (Type: outgoing)

2012/09/18 13:38:33 -0700 STEVE-97E23CD04 ewk IP-BLOCK 89.28.78.184 (Type: outgoing)

2012/09/18 13:54:23 -0700 STEVE-97E23CD04 ewk IP-BLOCK 89.28.46.193 (Type: outgoing)

2012/09/18 14:23:31 -0700 STEVE-97E23CD04 ewk IP-BLOCK 222.76.21.69 (Type: outgoing)

2012/09/18 14:23:48 -0700 STEVE-97E23CD04 ewk IP-BLOCK 58.240.146.116 (Type: outgoing)

2012/09/18 14:33:10 -0700 STEVE-97E23CD04 ewk MESSAGE Executing scheduled update: Daily

2012/09/18 14:33:28 -0700 STEVE-97E23CD04 ewk MESSAGE Scheduled update executed successfully: database updated from version v2012.09.17.09 to version v2012.09.18.09

2012/09/18 14:51:24 -0700 STEVE-97E23CD04 ewk IP-BLOCK 222.69.239.88 (Type: outgoing)

2012/09/18 14:55:09 -0700 STEVE-97E23CD04 ewk MESSAGE Starting database refresh

2012/09/18 14:55:09 -0700 STEVE-97E23CD04 ewk DETECTION C:\Documents and Settings\ewk\ms.exe Trojan.Agent QUARANTINE

2012/09/18 14:55:09 -0700 STEVE-97E23CD04 ewk MESSAGE Stopping IP protection

2012/09/18 14:55:09 -0700 STEVE-97E23CD04 ewk MESSAGE IP Protection stopped successfully

2012/09/18 14:55:09 -0700 STEVE-97E23CD04 ewk ERROR Quarantine failed: DeleteFile failed with error code 5

2012/09/18 14:55:15 -0700 STEVE-97E23CD04 ewk MESSAGE Database refreshed successfully

2012/09/18 14:55:15 -0700 STEVE-97E23CD04 ewk MESSAGE Starting IP protection

2012/09/18 14:55:22 -0700 STEVE-97E23CD04 ewk MESSAGE IP Protection started successfully

2012/09/18 14:58:13 -0700 STEVE-97E23CD04 ewk MESSAGE Starting protection

2012/09/18 14:58:13 -0700 STEVE-97E23CD04 ewk MESSAGE Protection started successfully

2012/09/18 14:58:13 -0700 STEVE-97E23CD04 ewk MESSAGE Starting IP protection

2012/09/18 14:58:23 -0700 STEVE-97E23CD04 ewk MESSAGE IP Protection started successfully

2012/09/18 20:42:55 -0700 STEVE-97E23CD04 ewk MESSAGE Starting protection

2012/09/18 20:42:55 -0700 STEVE-97E23CD04 ewk MESSAGE Protection started successfully

2012/09/18 20:42:55 -0700 STEVE-97E23CD04 ewk MESSAGE Starting IP protection

2012/09/18 20:42:57 -0700 STEVE-97E23CD04 ewk MESSAGE IP Protection started successfully

2012/09/18 20:45:39 -0700 STEVE-97E23CD04 steve MESSAGE Starting protection

2012/09/18 20:45:39 -0700 STEVE-97E23CD04 steve MESSAGE Protection started successfully

2012/09/18 20:45:39 -0700 STEVE-97E23CD04 steve MESSAGE Starting IP protection

2012/09/18 20:45:41 -0700 STEVE-97E23CD04 steve MESSAGE IP Protection started successfully

2012/09/18 20:48:15 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 20:48:18 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 20:48:24 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 20:48:36 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 20:48:39 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 20:48:45 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 20:48:57 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 20:49:00 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 20:49:06 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 20:49:18 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 20:49:21 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 20:49:27 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 20:49:47 -0700 STEVE-97E23CD04 steve IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 20:49:50 -0700 STEVE-97E23CD04 steve IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 20:49:56 -0700 STEVE-97E23CD04 steve IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 20:50:08 -0700 STEVE-97E23CD04 steve IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 20:50:11 -0700 STEVE-97E23CD04 steve IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 20:50:17 -0700 STEVE-97E23CD04 steve IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 20:50:29 -0700 STEVE-97E23CD04 steve IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 20:50:32 -0700 STEVE-97E23CD04 steve IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 20:50:38 -0700 STEVE-97E23CD04 steve IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 20:50:50 -0700 STEVE-97E23CD04 steve IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 20:50:53 -0700 STEVE-97E23CD04 steve IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 20:50:59 -0700 STEVE-97E23CD04 steve IP-BLOCK 193.169.86.56 (Type: outgoing)

2012/09/18 20:57:45 -0700 STEVE-97E23CD04 steve MESSAGE Starting protection

2012/09/18 20:57:46 -0700 STEVE-97E23CD04 steve MESSAGE Protection started successfully

2012/09/18 20:57:46 -0700 STEVE-97E23CD04 steve MESSAGE Starting IP protection

2012/09/18 20:57:48 -0700 STEVE-97E23CD04 steve MESSAGE IP Protection started successfully

2012/09/18 21:00:32 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 21:00:35 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 21:00:41 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 21:00:53 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 21:00:56 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 21:01:02 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 21:01:14 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 21:01:17 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 21:01:23 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 21:01:35 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 21:01:38 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

2012/09/18 21:01:44 -0700 STEVE-97E23CD04 steve IP-BLOCK 94.102.51.152 (Type: outgoing)

Nailed the bad guy:

Malwarebytes Anti-Malware (PRO) 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.18.09

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

steve :: STEVE-97E23CD04 [administrator]

Protection: Enabled

9/18/2012 8:46:35 PM

mbam-log-2012-09-18 (20-46-35).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 228643

Time elapsed: 7 minute(s), 55 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Documents and Settings\ewk\ms.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)

And now we're clean:

Malwarebytes Anti-Malware (PRO) 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.19.01

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

steve :: STEVE-97E23CD04 [administrator]

Protection: Enabled

9/18/2012 9:03:33 PM

mbam-log-2012-09-18 (21-03-33).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 228708

Time elapsed: 8 minute(s), 46 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

DDS still doesn't run.

Thanks in advance,

Steve


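As a worked example added here (not code from the thread or from Malwarebytes), the protection-log lines quoted in the posts above can be parsed to answer what the staff reply is getting at: which destinations are being blocked, how often, whether the blocks come in tight retry bursts, and whether any DETECTION or ERROR line (such as the failed quarantine of ms.exe) needs follow-up. The sample lines are constructed in the thread's log format from entries in this thread, and the sliding-window burst heuristic is my own triage rule, not a Malwarebytes feature.

```python
"""Triage helper for Malwarebytes Anti-Malware 1.x protection logs.

Added example for this thread, not Malwarebytes code. It parses the
line shape quoted by the poster (timestamp, UTC offset, host, user,
event kind, detail), counts IP-BLOCK events per destination, flags
retry bursts, and surfaces DETECTION/ERROR lines for a human to read.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# e.g. "2012/09/13 21:43:08 -0700 STEVE-97E23CD04 ewk IP-BLOCK 199.21.148.108 (Type: outgoing)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) (?P<kind>[A-Z-]+) (?P<detail>.*)$"
)
IPBLOCK_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<dir>\w+)\)$")

# Constructed sample in the thread's format, using entries that appear in the thread.
SAMPLE_LOG = """\
2012/09/13 20:38:50 -0700 STEVE-97E23CD04 steve MESSAGE Starting protection
2012/09/13 21:43:08 -0700 STEVE-97E23CD04 ewk IP-BLOCK 199.21.148.108 (Type: outgoing)
2012/09/13 21:43:11 -0700 STEVE-97E23CD04 ewk IP-BLOCK 199.21.148.108 (Type: outgoing)
2012/09/13 21:43:17 -0700 STEVE-97E23CD04 ewk IP-BLOCK 199.21.148.108 (Type: outgoing)
2012/09/13 21:54:28 -0700 STEVE-97E23CD04 ewk IP-BLOCK 222.76.17.33 (Type: outgoing)
2012/09/18 14:55:09 -0700 STEVE-97E23CD04 ewk DETECTION C:\\Documents and Settings\\ewk\\ms.exe Trojan.Agent QUARANTINE
2012/09/18 14:55:09 -0700 STEVE-97E23CD04 ewk ERROR Quarantine failed: DeleteFile failed with error code 5
"""


def parse_line(line):
    """Return a dict for one protection-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    if rec["kind"] == "IP-BLOCK":
        ipm = IPBLOCK_RE.match(rec["detail"])
        if ipm:
            rec["ip"] = ipm.group("ip")
            rec["direction"] = ipm.group("dir")
    return rec


def parse_log(text):
    """Parse every recognised line; unrecognised lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def block_summary(records):
    """Count IP-BLOCK events per (direction, destination IP)."""
    counts = defaultdict(int)
    for r in records:
        if r["kind"] == "IP-BLOCK" and "ip" in r:
            counts[(r["direction"], r["ip"])] += 1
    return dict(counts)


def find_bursts(records, window=timedelta(seconds=30), min_hits=3):
    """Destinations hit at least min_hits times inside one window.

    This is the pattern in the thread (three attempts a few seconds apart),
    which looks like a program retrying a blocked connection rather than
    a one-off lookup. Returns (ip, first_ts, last_ts, hits), one per IP.
    """
    per_ip = defaultdict(list)
    for r in records:
        if r["kind"] == "IP-BLOCK" and "ip" in r:
            per_ip[r["ip"]].append(r["ts"])
    bursts = []
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= min_hits:
                bursts.append((ip, times[start], times[end], end - start + 1))
                break  # one report per destination is enough for triage
    return bursts


def notable_events(records):
    """DETECTION and ERROR lines: what was found and whether remediation worked.

    A "DeleteFile failed with error code 5" ERROR is Win32 ERROR_ACCESS_DENIED,
    i.e. the file was detected but could not be removed at that moment.
    """
    return [(r["ts"], r["user"], r["kind"], r["detail"])
            for r in records if r["kind"] in ("DETECTION", "ERROR")]


def triage(text):
    """One-call report over a raw protection log."""
    records = parse_log(text)
    return {"blocks": block_summary(records),
            "bursts": find_bursts(records),
            "events": notable_events(records)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Run against a real protection log by reading the file into `triage()`; a destination that shows up in `bursts` repeatedly across days, as 206.161.121.x does in the thread, is the one to tie back to a process.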
Hi Chris,

Tried running DDS again. When I do, the computer locks up. Even the clock stops running (!). Run with administrator privileges - locks up. Reboot into safe mode - locks up. When I tried running with Task Manager, I saw a process called mbr.dat that I could not terminate. Maybe that's our problem.

Thanks for your help with this!

Steve


  • Staff

Hi,

Try running this instead please:

Download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • Click Run Scan and let the program run uninterrupted.
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.

Hi, Chris

This one worked! Here's the otl.txt:

OTL logfile created on: 9/24/2012 8:31:41 PM - Run 1

OTL by OldTimer - Version 3.2.68.0 Folder = C:\Documents and Settings\steve\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.39 Gb Available Physical Memory | 69.65% Memory free

5.84 Gb Paging File | 5.40 Gb Available in Paging File | 92.53% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092E:\pagef [binary data over 200 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 298.08 Gb Total Space | 198.89 Gb Free Space | 66.72% Space Free | Partition Type: NTFS

Drive E: | 74.50 Gb Total Space | 71.09 Gb Free Space | 95.41% Space Free | Partition Type: NTFS

Computer Name: STEVE-97E23CD04 | User Name: steve | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/24 20:31:13 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\steve\Desktop\OTL.exe

PRC - [2012/09/07 17:04:46 | 000,676,936 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

PRC - [2012/09/07 17:04:46 | 000,399,432 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

PRC - [2012/09/07 17:04:44 | 000,766,536 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

PRC - [2012/03/26 17:08:12 | 000,931,200 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe

PRC - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe

PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2006/11/02 20:40:12 | 000,174,656 | ---- | M] () -- C:\WINDOWS\system32\PSIService.exe

PRC - [2003/06/25 11:24:48 | 000,049,152 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe

PRC - [2003/05/21 18:37:08 | 000,229,437 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

========== Modules (No Company Name) ==========

MOD - [2006/11/02 20:40:12 | 000,174,656 | ---- | M] () -- C:\WINDOWS\system32\PSIService.exe

========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService)

SRV - File not found [Auto | Stopped] -- C:\DOCUME~1\steve\LOCALS~1\Temp\hpdj.exe -- (hpdj)

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)

SRV - [2012/09/07 17:04:46 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2012/09/07 17:04:46 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)

SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)

SRV - [2006/11/02 20:40:12 | 000,174,656 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PSIService.exe -- (ProtexisLicensing)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)

DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)

DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)

DRV - File not found [Kernel | System | Stopped] -- system32\drivers\InCDRm.sys -- (InCDRm)

DRV - File not found [Kernel | System | Stopped] -- system32\drivers\InCDPass.sys -- (InCDPass)

DRV - File not found [File_System | Disabled | Stopped] -- system32\drivers\InCDFs.sys -- (InCDFs)

DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)

DRV - File not found [Kernel | System | Stopped] -- -- (Changer)

DRV - [2012/09/07 17:04:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)

DRV - [2010/08/08 14:17:14 | 000,082,380 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)

DRV - [2008/09/23 10:15:00 | 000,038,400 | R--- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1e51x86.sys -- (L1e)

DRV - [2008/07/25 05:09:24 | 000,845,184 | R--- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\viahduaa.sys -- (VIAHdAudAddService)

DRV - [2008/02/13 23:12:00 | 001,389,056 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\monfilt.sys -- (monfilt)

DRV - [2007/12/17 02:14:05 | 000,012,400 | R--- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)

DRV - [2005/07/01 10:15:06 | 000,025,344 | R--- | M] (Iomega) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\IABFilt.sys -- (IABFilt)

DRV - [2004/08/13 03:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_35: C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\steve\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\steve\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

O1 HOSTS File: ([2004/08/12 06:19:39 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [ASUS Update Checker] C:\Program Files\ASUS\ASUSUpdate\UpdateChecker\UpdateChecker.exe ()

O4 - HKLM..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)

O4 - HKLM..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1 File not found

O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe (Hewlett-Packard)

O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O8 - Extra context menu item: Download all with Free Download Manager - C:\Program Files\Free Download Manager\dlall.htm ()

O8 - Extra context menu item: Download selected with Free Download Manager - C:\Program Files\Free Download Manager\dlselected.htm ()

O8 - Extra context menu item: Download video with Free Download Manager - C:\Program Files\Free Download Manager\dlfvideo.htm ()

O8 - Extra context menu item: Download with Free Download Manager - C:\Program Files\Free Download Manager\dllink.htm ()

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab (Windows Live Safety Center Base Module)

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab (GMNRev Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)

O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab (DDRevision Class)

O16 - DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 216.162.205.9

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{66C64F91-B4F0-44EA-8CB8-B1FBA3206388}: DhcpNameServer = 192.168.0.1 216.162.205.9

O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Documents and Settings\steve\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\steve\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/08/30 13:52:29 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/09/24 20:31:06 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\steve\Desktop\OTL.exe

[2012/09/22 10:57:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Local Settings\Application Data\Temp

[2012/09/22 10:50:24 | 000,696,240 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe

[2012/09/18 14:55:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\jejanyiwrzgxgvg

[2012/09/14 20:20:30 | 000,000,000 | R--D | C] -- C:\Documents and Settings\steve\My Documents\My Videos

[2012/09/14 20:19:50 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\steve\Desktop\dds.scr

[2012/09/13 20:38:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Application Data\Malwarebytes

[2012/09/13 20:37:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware

[2012/09/13 20:37:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2012/09/13 20:37:34 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2012/09/13 20:37:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2012/09/13 20:36:59 | 010,524,080 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\steve\Desktop\mbam-setup-1.65.0.1400.exe

[2012/09/09 14:28:26 | 000,399,264 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\steve\Desktop\unhide.exe

[2012/09/09 12:27:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\My Documents\Favorites

[2012/09/09 11:35:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8

[2012/09/08 11:02:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump

[2012/09/08 10:53:55 | 000,000,000 | R--D | C] -- C:\Documents and Settings\steve\Recent

[2012/09/08 10:30:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Local Settings\Application Data\PCHealth

[2012/09/08 10:26:37 | 010,652,120 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\steve\Desktop\mbam-setup-1.62.0.1300.exe

[2012/09/01 09:33:18 | 000,157,680 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2012/09/01 09:33:18 | 000,149,488 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2012/09/01 09:33:18 | 000,149,488 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2012/08/28 10:18:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Local Settings\Application Data\APN

[2010/11/07 09:38:54 | 001,062,984 | ---- | C] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Documents and Settings\steve\gotomypc_540.exe

[2009/10/18 13:54:11 | 000,721,912 | ---- | C] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Documents and Settings\steve\gotomypc_428.exe

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/09/24 20:31:13 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\steve\Desktop\OTL.exe

[2012/09/24 20:28:49 | 000,013,690 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2012/09/24 20:27:01 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-507921405-2111687655-725345543-1005UA.job

[2012/09/24 20:22:00 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-507921405-2111687655-725345543-1003UA.job

[2012/09/24 13:27:01 | 000,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-507921405-2111687655-725345543-1005Core.job

[2012/09/24 10:22:00 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-507921405-2111687655-725345543-1003Core.job

[2012/09/23 10:21:18 | 000,002,271 | ---- | M] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Word.lnk

[2012/09/23 09:40:55 | 000,002,259 | ---- | M] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Excel.lnk

[2012/09/23 08:43:49 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job

[2012/09/23 08:38:05 | 000,433,122 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2012/09/23 08:38:05 | 000,067,952 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2012/09/23 08:33:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2012/09/22 10:50:24 | 000,696,240 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe

[2012/09/22 10:50:24 | 000,073,136 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl

[2012/09/18 14:55:19 | 000,097,718 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\emjzcpkbxkzcxqo

[2012/09/14 20:20:01 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\steve\Desktop\dds.scr

[2012/09/14 20:07:57 | 000,404,308 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\MBAM and MSE.pdf

[2012/09/13 20:37:42 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

[2012/09/13 20:37:02 | 010,524,080 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\steve\Desktop\mbam-setup-1.65.0.1400.exe

[2012/09/12 21:05:15 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2012/09/09 14:28:30 | 000,399,264 | ---- | M] (Bleeping Computer, LLC) -- C:\Documents and Settings\steve\Desktop\unhide.exe

[2012/09/09 11:51:19 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

[2012/09/08 14:17:09 | 000,000,334 | ---- | M] () -- C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#deskjet5100#MY36T1Q0ZK7A.job

[2012/09/08 11:19:43 | 000,002,262 | ---- | M] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

[2012/09/07 17:04:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2012/09/07 09:25:36 | 010,652,120 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\steve\Desktop\mbam-setup-1.62.0.1300.exe

[2012/09/07 07:40:02 | 000,000,176 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\-crijK3L8FPSieGr

[2012/09/07 07:40:02 | 000,000,152 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\-crijK3L8FPSieG

[2012/09/07 07:40:01 | 000,000,368 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\crijK3L8FPSieG

[2012/09/01 09:12:00 | 000,198,446 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\bookmark.htm

[2012/08/28 20:44:54 | 011,111,424 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll

[2012/08/28 20:24:56 | 000,477,168 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\npdeployJava1.dll

[2012/08/28 20:24:53 | 000,473,072 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll

[2012/08/28 20:10:12 | 000,157,680 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2012/08/28 20:10:07 | 000,149,488 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2012/08/28 20:09:57 | 000,149,488 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2012/08/28 18:39:23 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl

[2012/08/28 08:14:53 | 006,008,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll

[2012/08/28 08:14:53 | 001,212,416 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll

[2012/08/28 08:14:53 | 000,916,992 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll

[2012/08/28 08:14:53 | 000,630,272 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeeds.dll

[2012/08/28 08:14:53 | 000,630,272 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll

[2012/08/28 08:14:53 | 000,611,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mstime.dll

[2012/08/28 08:14:53 | 000,611,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstime.dll

[2012/08/28 08:14:53 | 000,521,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jsdbgui.dll

[2012/08/28 08:14:53 | 000,206,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\occache.dll

[2012/08/28 08:14:53 | 000,105,984 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\url.dll

[2012/08/28 08:14:53 | 000,105,984 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\url.dll

[2012/08/28 08:14:53 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtmled.dll

[2012/08/28 08:14:53 | 000,055,296 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeedsbs.dll

[2012/08/28 08:14:53 | 000,055,296 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll

[2012/08/28 08:14:53 | 000,043,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\licmgr10.dll

[2012/08/28 08:14:53 | 000,043,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\licmgr10.dll

[2012/08/28 08:14:53 | 000,025,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\jsproxy.dll

[2012/08/28 08:14:53 | 000,025,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jsproxy.dll

[2012/08/28 08:14:52 | 002,000,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll

[2012/08/28 08:14:52 | 001,469,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetcpl.cpl

[2012/08/28 08:14:52 | 001,469,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetcpl.cpl

[2012/08/28 08:14:52 | 000,743,424 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll

[2012/08/28 08:14:52 | 000,387,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iedkcs32.dll

[2012/08/28 08:14:52 | 000,387,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedkcs32.dll

[2012/08/28 08:14:52 | 000,184,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iepeers.dll

[2012/08/28 08:14:52 | 000,184,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iepeers.dll

[2012/08/28 05:07:34 | 000,174,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ie4uinit.exe

[2012/08/28 05:07:34 | 000,174,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ie4uinit.exe

[2012/08/28 05:07:15 | 000,385,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\html.iec

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/09/22 10:42:15 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk

[2012/09/18 14:55:09 | 000,097,718 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\emjzcpkbxkzcxqo

[2012/09/14 20:07:53 | 000,404,308 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\MBAM and MSE.pdf

[2012/09/13 20:37:42 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

[2012/09/09 11:51:19 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

[2012/09/09 11:51:19 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\steve\Start Menu\Programs\Internet Explorer.lnk

[2012/09/07 07:40:02 | 000,000,176 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\-crijK3L8FPSieGr

[2012/09/07 07:40:02 | 000,000,152 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\-crijK3L8FPSieG

[2012/09/07 07:39:58 | 000,000,368 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\crijK3L8FPSieG

[2012/08/28 09:22:39 | 000,566,449 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\The Extermination of the NAT monster.pdf

[2012/08/13 15:32:28 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI

[2012/02/18 15:04:21 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll

[2012/01/07 16:36:11 | 000,086,016 | ---- | C] () -- C:\WINDOWS\OPDIRDEL.exe

[2012/01/07 15:21:21 | 000,000,569 | ---- | C] () -- C:\WINDOWS\maxlink.ini

[2012/01/07 15:20:26 | 000,000,022 | ---- | C] () -- C:\WINDOWS\OP70.INI

[2012/01/07 15:19:18 | 000,000,021 | ---- | C] () -- C:\WINDOWS\phbase.ini

[2012/01/07 15:18:34 | 000,001,008 | ---- | C] () -- C:\WINDOWS\pstudio.ini

[2012/01/07 15:18:34 | 000,000,028 | ---- | C] () -- C:\WINDOWS\album.ini

[2012/01/07 15:18:34 | 000,000,021 | ---- | C] () -- C:\WINDOWS\Ps_setup.ini

[2011/06/17 07:14:30 | 000,009,926 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\03a8uy7g36f2l3g843er.bad

[2011/05/14 19:22:58 | 000,014,340 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\qw0j6rj2eh126b41tbg4561cs4qy0b8ai286q3u8rph5

[2010/04/25 10:29:07 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\steve\default.pls

[2009/12/13 12:09:52 | 000,000,067 | ---- | C] () -- C:\Documents and Settings\steve\FORM.INI

[2009/08/30 14:34:49 | 001,386,064 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe

========== ZeroAccess Check ==========

[2011/06/25 15:32:23 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

"" = %SystemRoot%\system32\shdocvw.dll -- [2010/03/09 21:33:41 | 001,509,888 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]

"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 05:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/13 17:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Both

========== Alternate Data Streams ==========

@Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >

And here's the extras.txt:

OTL Extras logfile created on: 9/24/2012 8:31:41 PM - Run 1

OTL by OldTimer - Version 3.2.68.0 Folder = C:\Documents and Settings\steve\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.39 Gb Available Physical Memory | 69.65% Memory free

5.84 Gb Paging File | 5.40 Gb Available in Paging File | 92.53% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092E:\pagef [binary data over 200 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 298.08 Gb Total Space | 198.89 Gb Free Space | 66.72% Space Free | Partition Type: NTFS

Drive E: | 74.50 Gb Total Space | 71.09 Gb Free Space | 95.41% Space Free | Partition Type: NTFS

Computer Name: STEVE-97E23CD04 | User Name: steve | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)

InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [Generate MD5 Signatures] -- "C:\Program Files\Michael K. Weise\mkw Audio Compression Toolkit\mkwACT.exe" (Michael K. Weise)

Directory [Renamer] -- C:\Program Files\Renamer\Renamer.exe %0 (Frilans)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"C:\Program Files\uTorrent\utorrent.exe" = C:\Program Files\uTorrent\utorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Small Business

"{0F842B77-56EA-4AAF-8295-81A022350B5E}" = Microsoft Security Client

"{12665B01-3F3A-4433-B179-9D8E352D7547}" = Try Corel Snapfire muvee autoProducer add on

"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform

"{26A24AE4-039D-4CA4-87B4-2F83216033FF}" = Java 6 Update 35

"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.® AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4CCC7F68-A437-4559-A840-F5E010934951}" = HP Driver Diagnostics

"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml

"{587178E7-B1DF-494E-9838-FA4DD36E873C}" = ASUSUpdate

"{6ABAF1E2-BEB6-4C32-BD9F-0CA733EE7453}" = Iomega Automatic Backup Pro

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{AAB84E83-C8DF-4752-9DFC-2E2A48EE5E9F}" = Nikon View 5

"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.4)

"{B376402D-58EA-45EA-BD50-DD924EB67A70}" = HP Memories Disc

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C167A588-87AA-47BF-A88E-5B0F9A14480D}" = InterVideo DVDCopy5

"{C93369CB-B4E9-E095-9289-E6B5AE941033}" = Nero 7 Demo

"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{E0828692-FD9D-459F-9312-C645C3CA6650}" = HP Photo and Imaging 2.0 - Deskjet Series

"{E0A1559B-9886-11D4-8D06-0050DA284A39}" = Scan Manager 5.2

"{FB686487-C637-4EEF-BCB1-C92463F2CC05}" = Atheros Ethernet Utility

"{FEDA56C4-82F3-46DD-8B50-FC592BBE1C0D}" = hp deskjet 5100

"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX

"ArcSoft PhotoBase" = ArcSoft PhotoBase

"ArcSoft PhotoStudio 2000" = ArcSoft PhotoStudio 2000

"Canon ScanGear Toolbox 3.0" = Canon ScanGear Toolbox 3.0

"Digital Editions" = Adobe Digital Editions

"Exact Audio Copy" = Exact Audio Copy 0.99pb5

"Exact Audio Copy_is1" = Exact Audio Copy v0.9 beta 4

"FileZilla Client" = FileZilla Client 3.3.2.1

"FLAC" = FLAC 1.2.1b (remove only)

"Free Download Manager_is1" = Free Download Manager 3.0

"HDMI" = Intel® Graphics Media Accelerator Driver

"hp print screen utility" = hp print screen utility

"ie8" = Windows Internet Explorer 8

"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager

"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.0.1400

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft Security Client" = Microsoft Security Essentials

"mkwACT" = mkw Audio Compression Toolkit

"OmniPagePro9.0DeinstKey" = OmniPage Pro 9.0

"QuickTime" = QuickTime

"Renamer" = Renamer (remove only)

"TradersLittleHelper_is1" = Trader's Little Helper 2.4.1

"uTorrent" = µTorrent

"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner

"Windows Media Format Runtime" = Windows Media Format Runtime

"Windows XP Service Pack" = Windows XP Service Pack 3

"YTdetect" = Yahoo! Detect

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Google Chrome" = Google Chrome

========== Last 20 Event Log Errors ==========

[ Application Events ]

Error - 9/11/2012 7:48:22 PM | Computer Name = STEVE-97E23CD04 | Source = MPSampleSubmission | ID = 5000

Description = EventType avsubmit, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),

P2 1.1.8704.0, P3 1.135.903.0, P4 1.135.903.0, P5 200045b328e036fe_71b3385c1c1c7fd39aaf9cf73ea43ea52d22e7dd,

P6 NIL, P7 NIL, P8 NIL, P9 NIL, P10 NIL.

Error - 9/11/2012 10:53:22 PM | Computer Name = STEVE-97E23CD04 | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting

module unknown, version 0.0.0.0, fault address 0x01168246.

Error - 9/11/2012 11:04:27 PM | Computer Name = STEVE-97E23CD04 | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting

module unknown, version 0.0.0.0, fault address 0x01168246.

Error - 9/12/2012 11:58:36 AM | Computer Name = STEVE-97E23CD04 | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting

module unknown, version 0.0.0.0, fault address 0x01168246.

Error - 9/12/2012 6:45:08 PM | Computer Name = STEVE-97E23CD04 | Source = Application Error | ID = 1000

Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting

module unknown, version 0.0.0.0, fault address 0x0c9ce74d.

Error - 9/12/2012 11:45:21 PM | Computer Name = STEVE-97E23CD04 | Source = MPSampleSubmission | ID = 5000

Description = EventType avsubmit, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),

P2 1.1.8704.0, P3 1.135.1136.0, P4 1.135.1136.0, P5 2000d2b330a1bb51_761ae249032f44cbaa7a0a400a5f20cd65b84b06,

P6 NIL, P7 NIL, P8 NIL, P9 NIL, P10 NIL.

Error - 9/13/2012 10:38:34 PM | Computer Name = STEVE-97E23CD04 | Source = Application Hang | ID = 1002

Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/17/2012 5:05:02 AM | Computer Name = STEVE-97E23CD04 | Source = Application Error | ID = 1000

Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting

module urlmon.dll, version 8.0.6001.19298, fault address 0x0003e542.

Error - 9/20/2012 10:36:33 AM | Computer Name = STEVE-97E23CD04 | Source = Application Error | ID = 1000

Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting

module mshtml.dll, version 8.0.6001.19298, fault address 0x00095b46.

Error - 9/21/2012 11:11:34 PM | Computer Name = STEVE-97E23CD04 | Source = Application Hang | ID = 1002

Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]

Error - 9/21/2012 12:14:31 AM | Computer Name = STEVE-97E23CD04 | Source = Service Control Manager | ID = 7001

Description = The TCP/IP NetBIOS Helper service depends on the AFD service which

failed to start because of the following error: %%31

Error - 9/21/2012 12:14:31 AM | Computer Name = STEVE-97E23CD04 | Source = Service Control Manager | ID = 7001

Description = The IPSEC Services service depends on the IPSEC driver service which

failed to start because of the following error: %%31

Error - 9/21/2012 12:14:31 AM | Computer Name = STEVE-97E23CD04 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

AFD AsIO Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

Error - 9/21/2012 12:45:24 AM | Computer Name = STEVE-97E23CD04 | Source = Service Control Manager | ID = 7000

Description = The hpdj service failed to start due to the following error: %%2

Error - 9/22/2012 11:01:04 AM | Computer Name = STEVE-97E23CD04 | Source = Service Control Manager | ID = 7000

Description = The hpdj service failed to start due to the following error: %%2

Error - 9/22/2012 1:07:33 PM | Computer Name = STEVE-97E23CD04 | Source = Service Control Manager | ID = 7000

Description = The hpdj service failed to start due to the following error: %%2

Error - 9/22/2012 1:46:09 PM | Computer Name = STEVE-97E23CD04 | Source = Service Control Manager | ID = 7000

Description = The hpdj service failed to start due to the following error: %%2

Error - 9/22/2012 2:58:02 PM | Computer Name = STEVE-97E23CD04 | Source = DCOM | ID = 10010

Description = The server {66B093B7-B5E3-4CFE-B32B-FEB55F172481} did not register

with DCOM within the required timeout.

Error - 9/23/2012 11:35:25 AM | Computer Name = STEVE-97E23CD04 | Source = Service Control Manager | ID = 7000

Description = The hpdj service failed to start due to the following error: %%2

Error - 9/23/2012 1:36:55 PM | Computer Name = STEVE-97E23CD04 | Source = DCOM | ID = 10010

Description = The server {66B093B7-B5E3-4CFE-B32B-FEB55F172481} did not register

with DCOM within the required timeout.

< End of report >

Hope this helps!

Thanks

Steve

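As an added triage example (not code from OTL, Malwarebytes or anyone in this thread), the Python below parses the registry-style settings sections and the event-log section of an OTL report laid out like the one above, and lists the items a helper would look at first: Security Center monitoring turned off, the Windows Firewall disabled on the standard profile, and a Service Control Manager 7026 event whose failed boot-start drivers include the networking stack or the antimalware filter. The sample log is constructed (computer name EXAMPLE-PC), and the set of drivers treated as critical is this example's own assumption.

```python
"""Triage an OTL-style log excerpt for posture weaknesses and boot-time driver failures.

Added example, not OTL's or Malwarebytes' code. The sample below is constructed to mirror
the section layout of an OTL report; the "critical" driver set is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample: same section headers, registry-style lines and event lines as an OTL report.
SAMPLE_LOG = r"""
========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

"DisableMonitoring" = 1

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

========== Last 20 Event Log Errors ==========

[ System Events ]

Error - 9/21/2012 12:14:31 AM | Computer Name = EXAMPLE-PC | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

AFD AsIO Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

Error - 9/21/2012 12:45:24 AM | Computer Name = EXAMPLE-PC | Source = Service Control Manager | ID = 7000

Description = The hpdj service failed to start due to the following error: %%2
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)" = (.*)$')
EVENT_RE = re.compile(r"^Error - (.+?) \| Computer Name = (.+?) \| Source = (.+?) \| ID = (\d+)$")

# Assumption: drivers whose failure to load at boot takes down networking or the AV filter driver.
CRITICAL_DRIVERS = {"AFD", "Tcpip", "NetBT", "IPSec", "MpFilter"}


def parse_registry_sections(text):
    """Return {section: {registry key: {value name: value}}} for the registry-style sections."""
    out = defaultdict(lambda: defaultdict(dict))
    section = key = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section, key = m.group(1), None
        elif m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := VALUE_RE.match(line)) and section and key:
            out[section][key][m.group(1)] = m.group(2)
    return out


def parse_events(text):
    """Return the event-log entries as dicts; wrapped description lines are joined."""
    events, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := EVENT_RE.match(line):
            current = {"time": m.group(1), "source": m.group(3), "id": int(m.group(4)), "description": ""}
            events.append(current)
        elif line.startswith(("=", "[")):
            current = None  # a section or sub-header ends the current event
        elif current is not None:
            part = line[len("Description = "):] if line.startswith("Description = ") else line
            current["description"] = (current["description"] + " " + part).strip()
    return events


def triage(text):
    """Return human-readable findings, in report order, that a reviewer should look at first."""
    findings = []
    regs = parse_registry_sections(text)
    for key, values in regs.get("Security Center Settings", {}).items():
        if key.endswith(r"\Security Center\Monitoring") and values.get("DisableMonitoring") == "1":
            findings.append("Security Center monitoring disabled (DisableMonitoring = 1)")
    for key, values in regs.get("Firewall Settings", {}).items():
        if key.endswith(r"\StandardProfile") and values.get("EnableFirewall") == "0":
            findings.append("Windows Firewall disabled on StandardProfile (EnableFirewall = 0)")
    for ev in parse_events(text):
        if ev["source"] == "Service Control Manager" and ev["id"] == 7026:
            drivers = set(ev["description"].split(":", 1)[1].split())
            hit = sorted(CRITICAL_DRIVERS & drivers)
            if hit:
                findings.append(f"Boot-start drivers failed to load at {ev['time']}: {' '.join(hit)}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run the file directly to print the findings for the sample, or read a saved OTL.txt into a string and pass it to `triage`. The three checks deliberately stay narrow: a settings line is only flagged under the exact key it belongs to, and only the 7026 event's driver list is inspected, so vendor sub-keys or unrelated service failures do not produce noise.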

  • Staff

Hi,

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

If after ComboFix reboots you get a message about an "Invalid Option Registry Key Marked for Deletion," please reboot again and the error will go away.

-screen317


Hi,

Thanks for your response. ComboFix was unable to complete. The computer locked up, both in Windows and in safe mode. ComboFix stopped at the "However, scan times..." display. The "ComboFix has changed your clock settings." display never appeared. The "Completed Stage_1" display never appeared. As you may recall, dds locked up as well.

Hope you can help with this.

Steve


  • Staff

Hi,

Delete your copy of ComboFix. Grab a fresh copy and save it to your Desktop, but do not run it yet. Before you download it, rename it to sega.com (ensure that the Save As type is "All Files").

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Click Start --> Run, and enter this command exactly as shown:

"%userprofile%\desktop\sega.com" /killall

See if it will run successfully now. Stop it after half an hour of no activity.


Hi, Chris

This is a tough one! Deleted old combofix. Grabbed a new one downloaded as sega.com. Rebooted to safe mode (no networking), and did start -> run "%userprofile%\desktop\sega.com" /killall as you said.

Program hung on the "...badly infected machines may easily double" line. "...changed your clock settings." did not display. The clock, however, continued to run.

After half an hour, attempted to stop it, but had to power down (with the power button).

Steve


  • Staff

Hi Steve,

Okay let's try another route.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs a runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log name is like UtilityName.Version_Date_Time_log.txt.

For example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.
